Exercises for Capability Platforms

I broached a question today (2012 Nov 30) at FRIAM about mutually suspicious programs interacting natively within an E-vat.
I came thinking it was not possible but the conversation convinced me that it was possible or nearly so.
Here are the ideas that I took away from the conversation.

I operate a computer which hosts an E-vat, and I write code for that vat.
There is another computer somewhere with an E-vat called V.
I trust the operator of V and some code H, but not other code Y that both run in vat V.
The nature of H at V will emerge below.
I want to send my proprietary X code to V in order to interact with Y natively—with no membranes.
The operator of V is willing but does not want to become involved.
He has provided H so as not to become involved.
H is a perfectly normal E program playing by current E rules.

As an initial condition presume that I have, within my vat, a remote reference to H and that H behaves as described below.
I send to H an AST (abstract syntax tree) of my proprietary program.
H performs an Eval on the AST and gets a value X' that is a function whose parameters encompass all of the free variables of the function body—i.e. there are no free variables in X'.
(I view stdout as a free variable.)
Along with the AST, I send several other remote references, including to one to Y.
Somehow the references to Y become local, since they are indeed local to V and H invokes X' with the local references.
There may be other standard local facilities in V that I trust and H also includes references to those as it invokes X'.

It seems to me that my code can invoke Y without communications delay, or even membrane overhead.
My code cannot violate the abstractions of Y nor conversely.
As it stands this does not achieve confinement although it may be part of a confinement pattern.

There remain in this pattern problems of resource management—space and time.

During the discussion the question arose of whether the AST was pure data.
Here I assume that it is.
The Scheme that I run yields 6 for “((eval (lambda (x) (+ x 1))) 5)”.
I consider this a bug; I think it should reject this construct.
“((eval (quote (lambda (x) (+ x 1)))) 5)” is fine and it also yields 6.
Perhaps it would be possible to extend the AST to allow remote references within but I would have to see the specs.

Mark Miller comments on this as follows, and he is entirely correct:

As to whether this is support for “mutual suspicion”, we need the usual separation of integrity/safety vs availability/liveness vs confidentiality. Within a single E vat as you describe, there is perfect (as far as we can tell) support for integrity/safety among mutually suspicious bits of code, such as X and Y, and almost perfect lack of support for availability/liveness. In other words, under your assumptions, you know Y can’t cause X to do bad things or steal from X the ability to do bad things that X wouldn’t do. But Y can prevent X from doing anything. Bad things won’t happen. But good things may or may not happen.

The best that this pattern can do is provide strong circumstantial evidence that X or Y is thwarting the purposes of the other by merely looping or exhausting storage.
If Y is designed to serve some larger class of clients then X can thus thwart this and perhaps he would have to blame H and remove it.
Y can only defeat the purposes of X by means that were already available to Y when X was operating remotely.